Hacker Breaks Into OnStar’s Apps; GM quickly issues a fix
The bad news is that the hack is legitimate.
Kamkar’s Raspberry Pi-based device, which cost less than $100 to make, has been described as an invention that can “locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers”. In other words, it performs a man-in-the-middle (MITM) attack to steal data across a communication channel and potentially plant code suitable for exploiting software. GM worked quickly to issue a fix, but Samy Kamkar, the creator of the hack, has confirmed to CNET that the fix was not successful.
On Thursday, a hacker named Samy Kamkar revealed a gadget that he claims enables the takeover of any GM vehicle with the OnStar system.
OnStar’s RemoteLink proves vulnerable.
The device is called OwnStar and it’s the creation of Samy Kamkar, a security researcher and hardware hacker who makes a habit of finding clever ways around the security of various systems, including garage doors, wireless keyboards, and drones. Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats, and design vehicle systems that can be updated with enhanced security as these potential threats arise. Automakers and other tech firms are racing to outfit cars with more technology, especially ones that connect them via the Internet. The recall came just days after Wired magazine reported hackers could wirelessly take control of functions such as steering, transmission and brakes in a 2014 Jeep Cherokee.
The hack is not quite as bad as it sounds. That said, the idea that any stranger could be tracing your car’s location and unlocking its doors is very disconcerting to say the least.
Kamkar posted a video on Thursday that showed how the device works, but he plans to reveal more details about how the hack works at the big security conference Defcon next week.
GM has already issued a fix to the system which did not require an update to the RemoteLink app, so this vulnerability is already patched.
The hack is possible because the OnStar app doesn’t check for phony encryption certificates, allowing Kamkar’s device to easily take over control of the OnStar system. For the time being, it is recommended that you steer clear of the RemoteLink app.
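The missing check described above, shown as an added example (it is not code from the RemoteLink app, GM, or Kamkar): a Python TLS client configured to accept any certificate, next to one that validates the certificate chain and hostname, plus a small audit function for spotting the weak configuration. All function names are hypothetical.

```python
import socket
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """Client context that accepts any certificate, including a phony one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # server certificate is never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context that validates the chain and the hostname."""
    # Defaults: CERT_REQUIRED, check_hostname=True, system trust store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation gaps in a client context (empty list means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def fetch_peer_subject(host: str, port: int, ctx: ssl.SSLContext):
    """Handshake with host:port and return the certificate subject.

    With hardened_context(), a certificate that does not chain to a trusted
    CA or does not match `host` raises ssl.SSLCertVerificationError and no
    application data is sent. With insecure_context() the handshake succeeds
    regardless, and getpeercert() returns an empty dict.
    """
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "ok")
```
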